Ransomware attacks have been hitting the headlines for a couple of years now. Attackers are moving from blanket attacks to more lucrative, targeted attacks on businesses, where the risk to the victim is as high as the ransom demand. Figures from Coveware suggest that the average ransom organizations paid per incident in the first quarter of 2019 was $12,762.

In response, we are seeing recent shifts in the way governments treat cybercrime. The US Department of Justice declared that ransomware is to be treated with the same level of vigilance as terrorism. In July 2021, the White House also released a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

Yet this does little for the victims of an ongoing ransomware attack. The debate begins once a ransom demand has been received, and the trigger question always remains: “to pay or not to pay?”

We conducted a social media poll: while a majority of our audience said they might not pay, many were in two minds or said they might pay because the data was important.

History of Ransomware

The idea of holding user files hostage by blocking system access and then demanding a ransom is quite old and has been practised since the 1980s. One of the first documented ransomware attacks was the AIDS trojan, distributed on floppy disk in 1989.

Yet such attacks were not widespread in the 2000s until the introduction of cryptocurrencies, which changed everything. Bitcoin payments gave cybercriminals an easy way to collect money. A few hundred cases grew to about 60,000 in 2011, then more than tripled in 2012 to over 200,000. Today, ransomware has adopted data-leak extortion tactics: the attackers both encrypt the environment and exfiltrate data, threatening to leak it if the extortion demand is not paid.

Global attack volume increased by 151 percent in the first six months of 2021. According to reports, an average ransomware attack lasts 12.1 days, but the real impact on the company lasts much longer. Taking into account the cost of rebuilding and improving systems, the total can be anywhere between US$11 million and US$17 million.

To pay or not to pay?

In its advisory, the U.S. FBI does not advocate paying a ransom, in part because payment does not guarantee that an organization will regain access to its data. The FBI also holds that ‘paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.’

Despite the risks, some still believe that paying the ransom can be a viable option and should be evaluated like any other business decision. If your organization’s priority is to recover data, minimize costs and resume operations as quickly as possible, paying can seem like the right choice.

Incidents like the one in the City of Atlanta also push organizations toward paying, because paying can cost the business less than refusing. After being hit with SamSam in March 2018, Atlanta refused to pay the $51,000 ransom and ended up spending $17 million to rebuild its network. Similarly, Baltimore had to shell out an estimated $18 million to rebuild its networks after refusing the attacker’s demand of $76,000 in May 2019. In both cases, paying would have been a far more cost-effective solution.

On the other hand, some still refuse to give in. Their reasoning is that not paying undermines the attackers’ confidence and discourages their operations; a chain of refusals can disrupt the criminals’ networks and force them to rebuild their infrastructure. Moreover, a recent survey by Cybereason found that almost half of the businesses that paid a ransom did not regain access to all of their critical data after receiving their decryption keys. So does paying the ransom actually help?

Ransomware negotiators are a new kind of broker and are becoming a standard part of ransomware incident response. Their job is to bring the final ransom paid down to a fraction of the original demand. Ransomware has officially become a business model, albeit a malicious and dirty one. Its definition keeps evolving with every new case and will unfold further with the rise of ransomware-as-a-service (RaaS).

Whether you decide to give in or not, decision-makers should weigh these questions:

  • How critical is the data to the present or future success of my organization?
  • How urgent is the restoration of data?
  • Is it ethical or criminal to make a ransom payment?

Post-attack sanitization of systems and recovery steps must then be executed at the enterprise level. It is crucial for victim organizations to close the vulnerability gaps that let the attackers in and to build cyber resilience for the future. It’s best not to rely on a single solution; use multiple, layered solutions for the best possible protection.

In the End…

Sometimes the window for deciding whether to pay or negotiate is very short. Conventionally, we might not want to pay the ransom, but things are not always black and white. The attack will be a cost to the business – directly and indirectly. The ultimate choice has to be a wise one.

What’s your take on paying a ransom? Share your thoughts in the comments!